As Seattle and Silicon Valley grapple with the impact of the novel coronavirus, Microsoft fixed a large batch of vulnerabilities Tuesday, as part of its regular monthly software updates. According to security researchers with Cisco Talos, this month’s update fixed 117 vulnerabilities. Twenty-five of them were rated “Critical”, ninety-one “Important,” and one ”Moderate”.
But what stood out to security researchers and “Patch Tuesday” followers was the patch that wasn’t there.
Both Cisco Talos and Fortinet initially released information about another vulnerability, identified as “CVE-2020-0796,” that wasn’t patched. While Cisco updated its advisory to remove information about the vulnerability, its followers on Twitter caught the discrepancy and the redaction quickly and saved the information. The community also started to speculate about the nature of the vulnerability and its risk. Some researchers quickly dubbed the vulnerability “SMBGhost”: the Server Message Block vulnerability that’s there but not visible.
CVE-2020-0796 – a "wormable" SMBv3 vulnerability.
Great…
???? pic.twitter.com/E3uPZkOyQN— MalwareHunterTeam (@malwrhunterteam) March 10, 2020
Researchers around the world were quick to point out that this was an unauthenticated, network-based, remote code execution vulnerability in Microsoft Server Message Block (SMB) handling that could give system-level privileges. In other words, this has a lot in common with the vulnerability known as CVE-2017-0144, which the EternalBlue exploit attacked and was later key in the WannaCry and NotPetya attacks in 2017. In a bit of deja vu, that vulnerability was also patched in March of that year.
Later on Tuesday, Microsoft released a security advisory (ADV200005) with details about a new, unpatched vulnerability and information on a workaround: steps people can take to protect against attempts to exploit the vulnerability without a patch. While the advisory doesn’t specifically speak to CVE-2020-0796, the details matched those released about that vulnerability and the research community quickly matched the two.
As of this writing, there is no patch available and no official timeline from Microsoft for when the patch might be released.
Assessing the Risk
The words “EternalBlue”, “WannaCry” and “NotPetya” are enough to send alarm bells ringing for security teams. The WannaCry and NotPetya attacks were hugely disruptive and costly in 2017. Maersk, for example, suffered a global shutdown for weeks and major losses because of NotPetya, as detailed by WIRED. The prospect of another vulnerability like EternalBlue raises concerns of a repeat of either or both of those attacks.
Additionally, the timing of this new critical vulnerability is especially challenging as many security and operations teams are working from home due to the response to the novel coronavirus in the United States. This makes implementing workarounds and patches even more challenging.
Finally, as if to prove the adage that “trouble travels in threes,” the very same day this broke, the security world was grappling with reports that two attendees at the annual RSA security conference in San Francisco, held two weeks ago, had tested positive for Coronavirus, with one reportedly hospitalized.
Against this backdrop, this latest development can seem alarming.
However, there are some key points of difference worth keeping in mind that makes this not as dire as the EternalBlue situation three years ago.
- Disclosure and Exploit Code Situation: Unlike the EternalBlue situation, indications are that this vulnerability was found by Microsoft, and that there is no functioning exploit code that can attack it currently. This is fundamentally different from the EternalBlue situation where there were exploit tools that could attack the vulnerability already circulating at the time of patch release.
- Scope of Vulnerable Systems: The Microsoft security advisory for this vulnerability lists only Windows 10 and Windows Server versions 1903 and 1909 as being affected. While this isn’t good for Microsoft’s “Newer is Better” security story, it is a significantly smaller pool of vulnerable and potentially attackable systems than we saw with the EternalBlue situation.
- Workaround Available: Once again, unlike the EternalBlue situation in 2017, there is a viable workaround that can be implemented immediately to help protect systems until they’re patched. Even better, Microsoft notes in their advisory, “No reboot is needed after making the change,“ and, “No reboot is needed after disabling the workaround.” This means the workaround can be made without incurring downtime by rebooting systems. Another good thing: this vulnerability occurs in the handling of SMB V3 compression, a fairly new feature. This means the impact of the workaround should be relatively painless, as well.
Overall, while the timing of this situation is challenging and at first blush raises alarm bells, the technical facts make this a critical situation but not a dire one. The fact that this impacts the latest versions of Windows Server can have a particular impact on cloud providers. But the presence of an easy-to-implement and roll-back workaround that has minimal impact means that organizations can and should implement that workaround immediately and keep it in place until there is a patch. Microsoft has already provided one-line PowerShell scripts to implement and roll back the workaround, meaning it can be deployed broadly relatively quickly even by teams working remotely from home.
We don’t know why there was no patch and when one is coming. But the good news is there are simple, clear, concrete steps that organizations can take today to help protect themselves and others. And while the timing of this relative to coronavirus isn’t great, the guidance we all have with that pertains here: don’t panic, and follow simple, sensible steps, and you’ll help protect yourself and the broader community.
